Yes, Virginia, the FBI Can Read Your Email

A news story today at CNet documents an ACLU disclosure that the FBI doesn’t think it needs a warrant to get certain types of emails, Facebook chats, and Twitter direct messages.

And you know what? The FBI is right.

This story isn’t, and shouldn’t be, about the FBI as a bogeyman; the FBI is rationally exploiting legislation that allows them to use whatever means they can to investigate. This story should be about a Congress that has failed to update electronic privacy protection laws as the necessity of electronic storage has accelerated. The law lets the FBI obtain some types of electronic communication without a warrant. The law, passed in 1986, is the Stored Communications Act (SCA). The SCA came at a time when electronic storage available to the public was in its infancy, and it requires federal or state officials to obtain a warrant for “the contents of a wire or electronic communication” that have been “in electronic storage” for less than 180 days.

This is the warrant requirement we’re all familiar with: a law enforcement official must present a judge with evidence demonstrating that there is probable cause to believe the electronic communication contains evidence of a crime.

But what if your communication has been in storage for more than 180 days? Your protections go way down: suddenly, a law enforcement official can get at your emails with something much less than probable cause, using a subpoena. The evidentiary standard for a subpoena is that the law enforcement official must show that the evidence to be seized is relevant to an investigation. In addition, some jurisdictions allow subpoenas to be issued by court clerks, without a judge being involved.

In 1986, this actually made sense: with 20 megabytes of disk storage costing $1000 or more, companies with big data centers routinely erased old data to save money, on the presumption that users who left data around more than six months didn’t want them. Now, with several terabytes of storage (that’s several million megabytes) costing a few hundred bucks, a “remote computing service” like Google can basically store all of your data forever. Suddenly, the necessity is the opposite of what it was in 1986: we’re keeping data in electronic storage because they’re most important to us, not because we want to abandon them.

But as times have changed, the SCA has not. Even the definition of “electronic storage” is in question. In a 2003 case called Theofel v. Farey-Jones, the Ninth Circuit Court of Appeals had to determine whether emails that had been stored on the ISP’s server pending delivery were in “electronic storage” or the much less-protected “temporary, intermediate storage.” The Ninth Circuit concluded that “electronic storage,” as defined by the SCA, requires an intent to keep data for the exclusive purpose of being backed up. Moreover, for there to be a backup, there must be an original. Judge Kozinski, who wrote the opinion in 2003, mused that “[a] remote computing service might be the only place a user stores his messages; in that case, the messages are not stored for backup purposes.”

That’s troubling: I can’t think of all the people I know who don’t use an email client like Outlook, but instead read their email straight from their web browser. In this case, they’re not storing a message for backup purposes; the message they’re viewing is the only copy! Because web apps like Gmail allow us to directly access the data that we have stored with a remote communications service, there is no longer a need to replicate the data (storing one file in one place and keeping a backup copy somewhere else). We’re interacting with the data, live, in a way that was difficult to do in 1986. The SCA makes no allowance for this. Because technology has become more efficient, making our lives more efficient, the SCA’s narrow, time-bound understanding of electronic storage means that all of those live interactions with data through the web browser are not protected by the SCA.

In 2009, a U.S. District Court in Illinois said exactly this. In U.S. v. Weaver, the court held that the SCA did not protect emails that were viewed only through Hotmail’s web interface and not downloaded somewhere else: “Microsoft [was] not storing [his] opened messages for backup purposes. Instead, Microsoft [was] maintaining the messages ‘solely for the purpose of providing storage or computer processing services to such subscriber or customer.’”

So, yes, the FBI can read your emails. They can also probably read your Facebook messages and Twitter direct messages, which all fall under the same analogy to postal mail that affords email any constitutional protection. This article mentions U.S. v. Warshak, a Sixth Circuit case that found the SCA’s 180-day distinction unconstitutional. The article notes that the FBI never mentioned it in its field manual. That’s true, but the FBI doesn’t have to; Warshak is the law only in the Sixth Circuit, not the rest of the country. So if you live in Ohio, Michigan, Kentucky, or Tennessee, congratulations, your email is protected! (Probably!)

What should you do? Lobby your Congresspeople, of course! The CNet article notes that multiple Congresspeople, including Rep. Zoe Lofgren of California and Sen. Patrick Leahy, have attempted to advance legislation that would eliminate the ridiculous 180-day provision (though, sadly, would not clear up what “electronic storage” means). Predictably, the Justice Department has exclaimed that it would make their job much harder if they couldn’t get at emails with just a subpoena. While that’s certainly true, lots of other things—like the Fourth Amendment itself—make DOJ’s job difficult. It would be really nice if they could walk into a private home and conduct a search without any reason at all. But, sadly, that’s not how our Constitution works. The burden rests with law enforcement to prove that they need to search or seize. Thanks to the SCA, however, that burden is extremely low. Until the SCA is reformed, you’d actually be better off sending your potentially incriminating communications through regular postal mail.

Want to learn more? This issue is squarely addressed in my recently-published law review article, Castle in the Cloud: Modernizing Constitutional Protections for Cloud-Stored Data on Mobile Devices.